The War Z taken offline following hack that exposed user passwords

E-mail addresses, player data and other personal information also exposed.

The War Z, a first-person zombie shooter game with 600,000 players, has been taken offline after attackers gained access to e-mail addresses and password data used to play the game and log in to user forums.

The data exposed in the breach also included in-game character names, the IP addresses players used to access user forums and the game, and any other data contained in the forum or game databases, an advisory posted by game developer Hammerpoint Interactive warned. It said the game and forums will be unavailable while outside experts and investigators pinpoint the cause of the compromise. Payment information was not exposed because payments are processed by a third-party and not on TheWar Z systems.

"If you posted other information to the forum it is likely that such data was accessed as well," the advisory stated. "We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained." The notice warned that e-mail addresses used to register for the game were also obtained.

The advisory said the passwords were "encrypted," which most likely means they were passed through a one-way cryptographic hash algorithm that converts plaintext such as "password" into a theoretically unique string of characters such as "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8." The advisory didn't say what algorithm was used or if cryptographic "salt" was added, so without those details, the assurance about encryption is largely meaningless. As Ars documented last year, advances in password cracking can quickly ferret out all but the strongest of passwords unless website operators take pains to thwart those techniques. Chief among them is the use of bcrypt, scrypt, or other hash algorithms specifically designed to store passwords. SHA1, MD5 and most other algorithms should never be used to hash passwords.

Readers who had TheWar Z accounts should change their passwords immediately. Passcodes should be randomly generated and a minimum of 10 characters that include numbers, letters and symbols. They should also be unique. Readers who used their War Z password to log in to other sites should change their passcodes for those sites, as well.

Hammerpoint Interactive's advisory said that investigators have already "identified number of ways access was obtained and have enhanced our security to improve game and forum safety. We are undertaking a full review and update of our servers and the services we use and adding additional security mechanisms." The company is e-mailing customers to make sure everyone affected is aware of the breach. Hammerpoint reportedly claims that TheWar Z has 600,000 registered users and a daily player count of 150,000.

"This has been a humbling experience for us," the advisory stated. "While we all know that there is no guaranty of security on the Internet, our goal is to try our very best to protect your data. We sincerely apologize."